China on Cyberattacks: US Is Pot Calling the Kettle Black

It didn't take long for China to claim it too has been on the receiving end of many a data hack. The latest in that developing story, along with a new round of Java exploits and some interesting -- and contentious --observations at the annual RSA conference, marked another busy week in the cybersecurity world.

By John P. Mello Jr.
03/04/13 6:00 AM PT

After taking it on the chin for its alleged attacks on U.S. media outlets -- and for its army reportedly backing hackers engaged in cyberespionage around the world -- China returned fire.

The government claimed its defense and military ministries' websites are being bombarded with 144,000 hacking attacks a month from the U.S. However, China didn't try to link the attacks to the U.S. government -- for good reason.

"It's a fallacy that because an attack comes from an IP geolocated within a certain country, that country is then responsible for the attack," Jeffrey Carr, CEO of
Taia Global
and author of "Inside Cyber Warfare: Mapping the Cyber Underworld," told TechNewsWorld.

U.S. Internet service providers tolerate more malicious behavior on their systems than they should, Carr added. That makes it easy for foreign nationals to buy server time with bogus credentials, so the source of an attack stemming from the U.S. could be someone outside the country.

A Stuxnet Fossil

It was revealed last week that Stuxnet, the infamous attack code, may be older than originally thought. Symantec researchers discovered a sample of the malware that was actively used in 2007 and could date back to 2005.

Stuxnet 0.5, as the researchers call it, could be the missing link between Stuxnet 1.0, which disrupted Iran's nuclear development program, and super worm Flame, which was discovered after Stuxnet but is believed to predate it.

Zero Day Redux

The never-ending saga of Java also continued last week. Researchers at FireEye found hackers exploiting a newly discovered vulnerability in Java. The exploit is being used to install a remote-access Trojan called McRat.

Meanwhile, Adobe pushed yet another security patch for its Flash Player to its users as February came to an end. It was the third patch of the month.

Google's two-factor authentication was in the limelight when researchers at Duo Security found a loophole that exploited its method for issuing unique passwords for applications. Google fixed the flaw before the researchers made it public.

Better Than Signatures

A lot of new products are introduced whenever the annual RSA conference is held in San Francisco. Among this year's crop was Trend Micro's Custom Defense Product, which includes targeting command and control activity from attacks like Advanced Persistent Threats.

Post-Crypto World

RSA isn't just about products; the conference can also court controversy. During one panel session, a founding father of cryptology, Adi Shamir, declared the security industry had entered a post-crypto era.

"It's very hard to use cryptography effectively if you assume an APT [Advanced Persistent Threat] is watching everything on a system," he said. "We need to think about security in a post-cryptography world."

Whether we're in that world or not, cryptography is here to stay, countered Bogdan Botezatu, a senior e-threat analyst with Bitdefender.

"Cryptography may have its flaws, it even may lend a helping hand to cybercrooks, but this does not mean that we're going to stop using it anytime soon," he told TechNewsWorld.

"In a world where mobile communication and strict security checks are part of the day-to-day fight with cybercrime, simply ditching encryption altogether would increase the prevalence of attacks to a point where we wouldn't have any privacy and data integrity at all," he said. "Even though crippled to some extent, cryptography still makes a huge difference."

Breach Diary.

Feb. 26. Ponemon Institute study reveals 46 percent of organizations do not evaluate the security and privacy practices of vendors before sharing sensitive or confidential information.

Feb. 28. Study by Javelin Strategy and Research shows that 22.5 percent of people who receive a data breach notice become victims of identity theft.

Mar. 1. Dropbox users report receiving spam to email accounts associated with a data breach of the service that occurred last year. Dropbox says it doesn't believe the spam barrage is a new problem or related to a new data breach.